Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide cloud-based identity and access management, the providing comprising: receiving, at a first service of a cloud-based identity and access management service, a request from a client for obtaining an access token for a user to access a resource, wherein the client comprises a software application; determining, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource; accessing, by the first service, a second service of the cloud-based identity and access management service based on the request; and performing an identity management service by the second service based on the request by generating the access token that identifies the tenancy of the resource and the tenancy of the user, wherein the access token permits the requesting client access to the resource and permits a requesting internal service of the cloud-based identity and access management service access to a secure application programming interface for a target internal service of the cloud-based identity and access management service.
2. The computer readable medium of claim 1, wherein the user, the client, and the resource each comprising entities of the cloud-based identity and access management service.
A cloud-based identity and access management (IAM) system manages authentication and authorization for users, clients, and resources within a cloud environment. The system ensures secure access control by verifying identities and enforcing permissions. However, existing IAM solutions often lack dynamic, context-aware access policies that adapt to real-time conditions, leading to security gaps or overly restrictive access. The invention improves IAM by implementing a policy engine that dynamically evaluates access requests based on contextual factors such as user behavior, device security posture, and environmental conditions. The system includes a user entity, a client entity, and a resource entity, all managed within the cloud-based IAM service. The policy engine assesses these entities in real-time to determine whether access should be granted or denied. For example, if a user attempts to access a resource from an untrusted device, the system may block the request or require additional authentication. Similarly, if a client application exhibits suspicious behavior, access to sensitive resources may be restricted. The invention enhances security by continuously monitoring and adapting access policies, reducing the risk of unauthorized access while maintaining usability. The dynamic evaluation of user, client, and resource entities ensures that access decisions are contextually relevant and responsive to evolving threats. This approach improves upon traditional static IAM policies, which rely on predefined rules that may not account for real-time risks.
3. The computer readable medium of claim 1, wherein the requesting internal service of the cloud-based identity and access management service comprises the first service, the target internal service of the cloud-based identity and access management service comprises a third service of the cloud-based identity and access management service, and the third service performs system for cross-domain identity management services (“SCIM”).
This invention relates to cloud-based identity and access management (IAM) systems, specifically addressing challenges in securely and efficiently managing identity data across different services within the cloud environment. The system enables seamless communication between internal services of the IAM platform, particularly when one service requests access to identity data managed by another service. The invention focuses on a scenario where a first service within the IAM platform acts as the requesting service, while a third service, which implements the System for Cross-Domain Identity Management (SCIM) protocol, acts as the target service. SCIM is a standardized protocol for automating the exchange of user identity information between identity providers and service providers. The invention ensures that the requesting service can securely retrieve or update identity data from the SCIM-compliant service, facilitating interoperability and reducing manual identity management tasks. The solution enhances security by enforcing access controls and authentication mechanisms during these interactions, ensuring that only authorized services can request and modify identity data. This approach improves efficiency by automating identity data synchronization across services, reducing administrative overhead, and minimizing errors associated with manual identity management processes. The invention is particularly useful in large-scale cloud environments where multiple services need to share and manage identity information securely and efficiently.
4. The computer readable medium of claim 1, wherein, the cloud-based identity and access management service includes a plurality of microservices, and the generated access token is used to secure microservice to microservice communication.
This invention relates to cloud-based identity and access management (IAM) systems, specifically addressing secure communication between microservices in a distributed architecture. The system generates access tokens to authenticate and authorize interactions between microservices, ensuring secure and controlled communication within the cloud environment. The IAM service is composed of multiple microservices, each handling distinct functions such as authentication, authorization, and token management. The generated access tokens are used to verify the identity of microservices when they communicate with each other, preventing unauthorized access and ensuring data integrity. The tokens may include encoded claims about the requesting microservice, such as permissions, expiration time, and issuer information, to enforce fine-grained access control. The system dynamically validates these tokens during inter-microservice communication, allowing only authorized requests to proceed. This approach enhances security by reducing reliance on shared credentials and implementing a decentralized, token-based authentication model. The solution is particularly useful in cloud-native applications where microservices must interact securely without exposing sensitive credentials.
5. The computer readable medium of claim 1, wherein the providing further comprises: sending, by the first service, the generated access token to an application enforcement point, wherein the application enforcement point grants the requesting client access to a cloud based application or a mobile application after receiving the generated access token.
This invention relates to secure access control in cloud and mobile applications. The problem addressed is the need for a reliable mechanism to authenticate and authorize clients requesting access to applications, ensuring secure and controlled entry. The solution involves a system where a first service generates an access token in response to a client's request. This token is then sent to an application enforcement point, which validates the token and grants the requesting client access to either a cloud-based application or a mobile application. The enforcement point acts as a gatekeeper, ensuring that only clients with valid tokens can proceed. The token generation process may involve verifying the client's identity and permissions before issuing the token. This approach enhances security by centralizing access control and reducing the risk of unauthorized access. The system is particularly useful in environments where multiple applications need to be secured under a unified authentication framework. The invention improves upon existing methods by streamlining the token distribution process and ensuring seamless integration with enforcement points.
6. The computer readable medium of claim 5, wherein the resource comprises the cloud based application or mobile application.
A system and method for managing and optimizing resource allocation in cloud-based or mobile applications. The technology addresses inefficiencies in resource utilization, such as computational power, storage, or network bandwidth, which can lead to performance degradation, increased costs, or poor user experience. The invention provides a dynamic resource allocation mechanism that monitors application performance and adjusts resource distribution in real-time based on demand, usage patterns, and system constraints. This includes identifying underutilized or overutilized resources and reallocating them to optimize efficiency. The system may also predict future resource needs using historical data and machine learning algorithms to preemptively adjust allocations. Additionally, the invention may integrate with cloud-based or mobile application frameworks to ensure seamless resource management without requiring extensive modifications to existing applications. The solution aims to reduce operational costs, improve scalability, and enhance overall system performance by ensuring resources are allocated optimally according to current and anticipated needs.
7. The computer readable medium of claim 1, wherein the request indicates an OAuth authorization standard for authenticating the user and obtaining the access token, and the client is an OAuth client.
This invention relates to a system for securely authenticating users and obtaining access tokens using the OAuth authorization standard. The system involves a client application that sends a request to an authentication server to authenticate a user and retrieve an access token. The request specifies that OAuth is the authorization standard being used, and the client is configured as an OAuth client, meaning it adheres to OAuth protocols for handling authentication and token management. The authentication server processes the request, verifies the user's credentials, and if successful, issues an access token that the client can use to access protected resources on behalf of the user. The system ensures secure and standardized authentication by leveraging OAuth, which is widely used for delegated authorization in web and mobile applications. The client and server communicate using OAuth-compliant messages, ensuring interoperability and security. The invention improves upon existing authentication methods by providing a structured, standardized approach to token-based access control, reducing the risk of unauthorized access while maintaining usability. The system is particularly useful in environments where multiple applications need to securely access user data without exposing credentials.
8. The computer readable medium of claim 1, wherein accessing the secure application programming interface for the target internal service comprises transmitting, by the requesting internal service, an Hyper Text Transfer Protocol (HTTP) messages that include the access token to the target internal service.
This invention relates to secure communication between internal services within a computing system, particularly focusing on authentication and authorization mechanisms for accessing internal application programming interfaces (APIs). The problem addressed is ensuring secure and controlled access to internal services while maintaining efficient communication between them. The invention involves a method for accessing a secure API of a target internal service. A requesting internal service obtains an access token, which is a credential used to authenticate and authorize the request. The requesting service then transmits an HTTP message to the target service, where the message includes the access token. The target service validates the token to verify the requesting service's permissions before granting access to the requested API. This approach ensures that only authorized services can communicate with each other, preventing unauthorized access and maintaining system security. The access token may be obtained through various means, such as an authentication server or a token service, and can include additional security features like encryption or expiration times. The HTTP message may also include other metadata, such as request headers or payloads, to further facilitate secure communication. This method is particularly useful in microservices architectures or distributed systems where multiple internal services need to interact securely.
9. The computer readable medium of claim 1, wherein first service is part of a routing tier for the cloud-based identity and access management service.
A system for managing identity and access in cloud-based environments addresses the challenge of securely routing authentication and authorization requests within a distributed architecture. The system includes a routing tier that processes requests from client devices, determining the appropriate service endpoints for handling authentication, token issuance, or policy evaluation. The routing tier acts as an intermediary, distributing requests to specialized services based on factors such as request type, user identity, or organizational policies. This ensures efficient load balancing, reduces latency, and maintains security by centralizing access control decisions. The routing tier may also enforce additional security measures, such as request validation, rate limiting, or logging, before forwarding requests to downstream services. By integrating with cloud-based identity and access management (IAM) systems, the routing tier enables scalable and secure access management across distributed applications and services. The system improves performance by minimizing redundant processing and ensures compliance with security policies by standardizing request handling. This approach is particularly useful in multi-tenant cloud environments where dynamic routing and policy enforcement are critical for maintaining security and operational efficiency.
10. A method of providing cloud-based identity and access management service, comprising: receiving, at a first service of a cloud-based identity and access management service, a request from a client for obtaining an access token for a user to access a resource, wherein the client comprises a software application; determining, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource; accessing, by the first service, a second service of the cloud-based identity and access management service based on the request; and performing an identity management service by the second service based on the request by generating the access token that identifies the tenancy of the resource and the tenancy of the user, wherein the access token permits the requesting client access to the resource and permits a requesting internal service of the cloud-based identity and access management service access to a secure application programming interface for a target internal service of the cloud-based identity and access management service.
Cloud-based identity and access management (IAM) systems authenticate users and control access to resources. A challenge in such systems is securely managing access tokens across different tenants (isolated environments) while ensuring proper authorization for both external clients and internal services. This invention describes a method for providing a cloud-based IAM service. When a client application requests an access token to access a resource, the system receives the request at a first service within the IAM platform. The system determines the tenancy of the client, the user, and the resource involved in the request. The first service then interacts with a second service within the IAM platform to perform identity management. The second service generates an access token that includes identifiers for both the user’s tenancy and the resource’s tenancy. This token allows the client to access the requested resource. Additionally, the token enables internal services within the IAM platform to securely access a target internal service via a protected API, ensuring proper authorization and isolation between tenants. The system ensures secure and efficient access control while maintaining tenant separation.
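The flow of claims 1 and 10, together with the enforcement point of claim 5 and the SCIM-style target service of claim 3, as an added worked example (not code from the patent or any assignee): a first service resolves the three tenancies from constructed registries, a second service mints an HMAC-signed, JWT-shaped token that names the user's and the resource's tenancy, and two consumers validate it. The signing key, tenant ids, entity names and the "user tenancy must equal resource tenancy" policy are all assumptions of this example.

```python
"""Toy multi-tenant token flow modelled on the claims above.

Constructed example: key, tenants, entities and the isolation policy are
made up; a real deployment would sign with a private key held only by the
identity service and distribute the public key to token consumers.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared signing key for the toy (assumption, not a real secret).
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# Constructed registries: user, client and resource are all entities of the
# IAM service (claim 2), each bound to a tenancy.
USERS = {"alice": "tenant-a", "bob": "tenant-b"}
CLIENTS = {"web-app": "tenant-a", "partner-app": "tenant-b"}
RESOURCES = {"payroll-api": "tenant-a", "crm-api": "tenant-b"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def determine_tenancies(request: dict) -> dict:
    """First service: resolve client, user and resource tenancy from the request."""
    try:
        return {
            "client_tenancy": CLIENTS[request["client_id"]],
            "user_tenancy": USERS[request["user"]],
            "resource_tenancy": RESOURCES[request["resource"]],
        }
    except KeyError as exc:
        raise ValueError(f"unknown entity in request: {exc}") from None


def issue_token(request: dict, ttl_seconds: int = 300, now=None) -> str:
    """Second service: mint a signed token naming user and resource tenancy."""
    now = time.time() if now is None else now
    tenancies = determine_tenancies(request)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": request["user"],
        "client_id": request["client_id"],
        "aud": request["resource"],
        "user_tenancy": tenancies["user_tenancy"],
        "resource_tenancy": tenancies["resource_tenancy"],
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
    }
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(
        SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison; binascii.Error from a mangled signature is a ValueError.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def enforcement_point_allows(token: str, resource: str, now=None) -> bool:
    """Application enforcement point (claim 5): admit the client only if the token
    verifies, is addressed to this resource, the resource tenancy matches the
    registry, and (toy policy) the user belongs to the resource's tenancy."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    return (
        claims["aud"] == resource
        and claims["resource_tenancy"] == RESOURCES.get(resource)
        and claims["user_tenancy"] == claims["resource_tenancy"]
    )


def internal_scim_allows(token: str, serving_tenancy: str, now=None) -> bool:
    """Target internal service (claim 3, SCIM): serve identity data only for the
    tenancy named in the token, so a tenant-a token cannot read tenant-b users."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    return claims["user_tenancy"] == serving_tenancy
```

The example is deliberately stricter than the claims require: the claims only say the token identifies both tenancies, and the isolation decision is left to whichever enforcement point or internal service consumes it.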
11. The method of claim 10, wherein the user, the client, and the resource each comprising entities of the cloud-based identity and access management service.
A cloud-based identity and access management (IAM) system manages authentication and authorization for users, clients, and resources within a cloud environment. The system ensures secure access control by verifying identities and enforcing permissions. A method for managing access involves receiving an access request from a user or client, validating the request against stored identity data, and determining whether the requester has the necessary permissions to access a specified resource. The system may also track access attempts, log activities, and apply policies to restrict or grant access based on predefined rules. The method further includes dynamically adjusting permissions based on contextual factors such as time, location, or device security status. The system ensures that all entities—users, clients, and resources—are registered and managed within the IAM service, maintaining a centralized and consistent access control framework. This approach enhances security by reducing unauthorized access risks and simplifying administration through automated policy enforcement. The system may also integrate with external identity providers or directories to extend its functionality. The method supports scalable and flexible access management, adapting to varying cloud environments and compliance requirements.
12. The method of claim 10, wherein the requesting internal service of the cloud-based identity and access management service comprises the first service, the target internal service of the cloud-based identity and access management service comprises a third service of the cloud-based identity and access management service, and the third service performs system for cross-domain identity management services (“SCIM”).
A cloud-based identity and access management (IAM) system manages authentication and authorization across multiple services. A challenge in such systems is securely and efficiently transferring identity and access data between internal services, especially when one service requires cross-domain identity management. This invention addresses this by enabling a first internal service to request access to a third internal service that provides System for Cross-Domain Identity Management (SCIM) functionality. The first service sends a request to a second internal service, which validates the request and forwards it to the third service. The third service, acting as the SCIM provider, processes the request and returns the requested identity or access data to the second service, which then relays it to the first service. This ensures secure and controlled communication between services while maintaining proper access controls. The system avoids direct communication between the first and third services, reducing security risks and simplifying inter-service interactions. The method supports dynamic access requests, allowing services to retrieve or update identity and access information as needed without manual intervention. This approach enhances scalability and flexibility in cloud-based IAM environments.
13. The method of claim 10, wherein, the cloud-based identity and access management service includes a plurality of microservices, and the generated access token is used to secure microservice to microservice communication.
This invention relates to cloud-based identity and access management (IAM) systems, specifically addressing secure communication between microservices in a distributed architecture. The problem solved is ensuring authenticated and authorized interactions between microservices without exposing sensitive credentials or relying on centralized authentication mechanisms that can become bottlenecks. The system includes a cloud-based IAM service that manages access control for microservices. The IAM service generates access tokens, which are cryptographic credentials used to verify the identity and permissions of a requesting microservice when communicating with another microservice. These tokens are issued based on predefined policies and are used to secure inter-service communication, ensuring that only authorized microservices can exchange data or invoke functions. The access tokens are dynamically generated and include claims that define the permissions and scope of access for the requesting microservice. When one microservice needs to communicate with another, it presents the token, which is validated by the receiving microservice to confirm the sender's identity and permissions. This approach eliminates the need for hardcoded credentials and reduces the risk of unauthorized access. The system also supports fine-grained access control, allowing administrators to define specific permissions for each microservice interaction. The IAM service may include additional features such as token revocation, expiration, and auditing to enhance security. This method ensures secure, scalable, and efficient communication between microservices in a cloud environment.
14. The method of claim 10, further comprising: sending, by the first service, the generated access token to an application enforcement point, wherein the application enforcement point grants the requesting client access to a cloud based application or a mobile application after receiving the generated access token.
This invention relates to access control systems for cloud-based and mobile applications. The problem addressed is securely managing access to applications by generating and validating access tokens. The method involves a first service receiving an access request from a client, authenticating the client, and generating an access token. This token is then sent to an application enforcement point, which uses it to grant the requesting client access to a cloud-based or mobile application. The authentication process may involve verifying credentials or other identifying information provided by the client. The access token serves as proof of authentication, allowing the enforcement point to authorize access without requiring the client to re-authenticate. This approach improves security by centralizing authentication and reducing the risk of unauthorized access. The system ensures that only authenticated clients can access protected applications, enhancing overall security in distributed environments. The method is particularly useful in scenarios where multiple applications need to be secured under a unified access control framework.
15. The method of claim 14, wherein the resource comprises the cloud based application or mobile application.
A system and method for managing access to digital resources, such as cloud-based applications or mobile applications, addresses the challenge of securely controlling access to sensitive data and services. The invention provides a dynamic authorization framework that evaluates user requests against predefined policies to determine access permissions. This framework integrates with authentication systems to verify user identities before granting access. The method includes receiving an access request from a user, validating the user's credentials, and assessing the request against stored authorization rules. If the request complies with the policies, access is granted; otherwise, it is denied or redirected for further review. The system may also log access attempts for auditing purposes. The invention ensures that only authorized users can interact with protected resources, enhancing security while maintaining usability. The solution is particularly useful in environments where multiple users require varying levels of access to shared applications or services. By automating the authorization process, the system reduces administrative overhead and minimizes the risk of unauthorized access. The method supports both cloud-based and mobile applications, allowing seamless integration into existing digital ecosystems.
16. The method of claim 10, wherein the request indicates an OAuth authorization standard for authenticating the user and obtaining the access token, and the client is an OAuth client.
This invention relates to user authentication and authorization systems, specifically for securely obtaining access tokens using OAuth standards. The problem addressed is the need for a reliable and standardized way to authenticate users and authorize applications (clients) to access protected resources without exposing sensitive credentials. The method involves a client application initiating a request to authenticate a user and obtain an access token. The request specifies that the OAuth authorization standard will be used for this process. The client is configured as an OAuth client, meaning it adheres to OAuth protocols for handling authentication and token management. The system processes the request by verifying the user's identity and, upon successful authentication, issues an access token that the client can use to access protected resources on behalf of the user. This approach ensures secure delegation of access without requiring the client to handle or store user credentials directly. The method may also include additional steps such as redirecting the user to an authorization server for authentication, validating the client's credentials, and generating a token response containing the access token. The OAuth standard ensures that the token is time-limited and can be revoked, enhancing security. This solution is particularly useful in distributed systems where multiple applications need secure access to user data or services.
17. A system for providing cloud-based identity and access management, the system comprising: a processor; a memory coupled to the processor comprising instructions that, when executed, cause the process to: receive, at a first service of a cloud-based identity and access management service, a request from a client for obtaining an access token for a user to access a resource, wherein the client comprises a software application; determine, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource; access, by the first service, a second service of the cloud-based identity and access management service based on the request; and perform an identity management service by the second service based on the request by generating the access token that identifies the tenancy of the resource and the tenancy of the user, wherein the access token permits the requesting client access to the resource and permits a requesting internal service of the cloud-based identity and access management service access to a secure application programming interface for a target internal service of the cloud-based identity and access management service.
This system provides cloud-based identity and access management (IAM) to control and authenticate user access to resources. The system addresses challenges in securely managing access permissions across multi-tenant cloud environments, ensuring that users, applications, and internal services can securely interact with resources while maintaining proper authorization boundaries. The system includes a processor and memory with instructions for executing IAM functions. When a client, such as a software application, requests an access token to access a resource, the system determines the tenancy associations of the client, user, and resource. A first service in the IAM system processes the request and interacts with a second service to perform identity management. The second service generates an access token that includes the tenancy information of both the user and the resource. This token allows the client to access the requested resource while also enabling internal services within the IAM system to securely interact with target internal services via protected APIs. The system ensures that access is granted only when the tenancy relationships are valid, enhancing security and compliance in cloud-based environments.
18. The system of claim 17, wherein the user, the client, and the resource each comprising entities of the cloud-based identity and access management service.
A cloud-based identity and access management (IAM) system manages authentication and authorization for users, clients, and resources within a cloud environment. The system ensures secure access control by verifying identities and enforcing access policies. The invention enhances this system by integrating all entities—users, clients, and resources—under a unified cloud-based IAM service. This integration simplifies identity management, reduces administrative overhead, and improves security by centralizing access control policies. The system dynamically authenticates users, validates client requests, and authorizes resource access based on predefined rules. It supports multi-factor authentication, role-based access control, and real-time policy enforcement. The unified approach ensures consistent security across distributed cloud environments, reducing vulnerabilities from fragmented identity management. The system also provides audit logging and monitoring to track access events and detect anomalies. By consolidating identity and access management within a single cloud service, the invention improves scalability, reduces complexity, and enhances compliance with security standards. The solution is particularly useful for enterprises operating in hybrid or multi-cloud environments where centralized control over identities and permissions is critical.
19. The system of claim 17, wherein the instructions cause the processor to: send, by the first service, the generated access token to an application enforcement point, wherein the application enforcement point grants the requesting client access to a cloud based application or a mobile application after receiving the generated access token.
This invention relates to a system for managing access to cloud-based or mobile applications. The system addresses the challenge of securely authenticating and authorizing clients to access applications while ensuring proper enforcement of access policies. The system includes a first service that generates an access token for a requesting client. This access token is then sent to an application enforcement point, which verifies the token and grants the client access to the requested application. The system ensures that only authenticated and authorized clients can access the application, enhancing security and compliance. The access token may include information such as user identity, permissions, and session details, allowing the enforcement point to make granular access decisions. This approach centralizes authentication and authorization, reducing the complexity of managing access controls across multiple applications. The system is particularly useful in environments where secure and scalable access management is required, such as enterprise cloud services or mobile application ecosystems.
20. The system of claim 19, wherein the resource comprises the cloud based application or mobile application.
A system for managing digital resources in a cloud-based or mobile application environment addresses the challenge of efficiently allocating and tracking computational resources across distributed platforms. The system includes a resource allocation module that dynamically assigns processing power, memory, or storage to applications based on demand, ensuring optimal performance and cost efficiency. A monitoring module continuously evaluates resource usage, detecting inefficiencies or bottlenecks in real-time. When an imbalance is identified, the system automatically reallocates resources to maintain stability. The system also integrates with cloud-based or mobile applications, allowing seamless resource management across different platforms. This ensures that applications receive the necessary resources without manual intervention, improving scalability and user experience. The system may also include a user interface for administrators to configure resource allocation policies or view performance metrics. By automating resource management, the system reduces operational overhead and enhances the reliability of cloud and mobile applications.
November 24, 2020